Malware Analysis Report

2025-08-10 22:23

Sample ID 240202-111s2ahaa3
Target 8aa8233e3feb0959267b8295240d1928
SHA256 36e7017aab2badf6f175743a120ba4ef3eb081310f7d18a60f8b459f46ff1093
Tags
adware stealer upx
score
7/10

Analysis Overview

score
7/10

SHA256

36e7017aab2badf6f175743a120ba4ef3eb081310f7d18a60f8b459f46ff1093

Threat Level: Shows suspicious behavior

The file 8aa8233e3feb0959267b8295240d1928 was found to show suspicious behavior.

Malicious Activity Summary

adware stealer upx

Loads dropped DLL

UPX packed file

Executes dropped EXE

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-02 22:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-02 22:07

Reported

2024-02-02 22:10

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\新云软件.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\新云软件.url

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 22:07

Reported

2024-02-02 22:10

Platform

win7-20231215-en

Max time kernel

117s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ip.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA68D} C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA68D}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\MSINET.OCX C:\Users\Admin\AppData\Local\Temp\ip.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\system\flash10.dll C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25 C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MAO Settings C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\1 C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25\Visible = "0" C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID\ = "InetCtls.Inet.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "FlashPlayer.Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.Class\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\System" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\ = "Microsoft Internet Transfer Control 6.0 (SP6)" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1\ = "132497" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control 6.0 (SP6)" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\ = "Microsoft Internet Transfer Control 6.0 (SP6)" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.Class C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.Class\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ = "_Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2740BE0CB97A22380960230E8F45FE5ABB8BB501 C:\Users\Admin\AppData\Local\Temp\ip.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2740BE0CB97A22380960230E8F45FE5ABB8BB501\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\ip.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2856 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2856 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2856 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2856 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2856 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2856 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2856 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Users\Admin\AppData\Local\Temp\Update.exe
PID 2856 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Users\Admin\AppData\Local\Temp\Update.exe
PID 2856 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Users\Admin\AppData\Local\Temp\Update.exe
PID 2856 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Users\Admin\AppData\Local\Temp\Update.exe
PID 2856 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Users\Admin\AppData\Local\Temp\Update.exe
PID 2856 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Users\Admin\AppData\Local\Temp\Update.exe
PID 2856 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ip.exe C:\Users\Admin\AppData\Local\Temp\Update.exe
PID 2848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ip.exe

"C:\Users\Admin\AppData\Local\Temp\ip.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Windows\system32\MSINET.OCX"

C:\Users\Admin\AppData\Local\Temp\Update.exe

C:\Users\Admin\AppData\Local\Temp\Update.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\Common Files\System\flash10.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ip138.com udp
GB 163.171.130.132:80 www.ip138.com tcp
US 8.8.8.8:53 sewer.ip138.com udp
CN 59.57.14.11:80 sewer.ip138.com tcp
CN 110.81.155.137:80 sewer.ip138.com tcp
CN 110.81.155.138:80 sewer.ip138.com tcp

Files

C:\Windows\SysWOW64\MSINET.OCX

MD5 90a39346e9b67f132ef133725c487ff6
SHA1 9cd22933f628465c863bed7895d99395acaa5d2a
SHA256 e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2
SHA512 0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

\Users\Admin\AppData\Local\Temp\Update.exe

MD5 2242ed5625415d45e82a0c52504ce648
SHA1 236da61ec0c1a9beba1441024aa07d84e6672f23
SHA256 c2df0e1046b8b8757e662abfad36f5554482a530cae7fda6695217a9b87b0bf2
SHA512 4cafa5c70a4d50d1f0f0b0380baae17663cf9a84ff921035759ca5f17e6832d6676149162568392b7c2d5500e7c303a45537d4c878ae5334f8b627eb686ec789

memory/2856-8-0x00000000003C0000-0x00000000003E8000-memory.dmp

memory/2848-15-0x0000000000230000-0x0000000000258000-memory.dmp

C:\Program Files (x86)\Common Files\System\flash10.dll

MD5 0cfeace58c8dcd1f25563eb06abde248
SHA1 2ce3b78c1f7aa56f04f4d0703f6a92a413f6c852
SHA256 405bc36e331f6a828a527ce71d3f195e472e551e109a1a9c258426fe03f719d9
SHA512 9d1188dced20be101f1a480f40904575d8704c55b73d898232b4f761fadf0b6542a3c98976467a2de279587013b1b6bd6fe6820f806a2b2e3d7cea293f377e06

memory/2848-21-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2848-23-0x0000000000230000-0x000000000023D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 22:07

Reported

2024-02-02 22:10

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ip.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ip.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA68D} C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA68D}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\MSINET.OCX C:\Users\Admin\AppData\Local\Temp\ip.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\system\flash10.dll C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25 C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1 C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25 C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\Category\1\ColumnProp\25\Visible = "0" C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "FlashPlayer.Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\ = "Microsoft Internet Transfer Control 6.0 (SP6)" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\System" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\ = "Microsoft Internet Transfer Control 6.0 (SP6)" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\System\\flash10.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ = "_Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control 6.0 (SP6)" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.Class\ = "FlashPlayer.Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "FlashPlayer.Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\ = "Internet Control URL Property Page Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS\ = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3ADCD351-7F41-4D06-A1D9-7F8EEC48F498} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269EADEF-9DF6-40BF-8EF0-13A9FF9DED1D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2740BE0CB97A22380960230E8F45FE5ABB8BB501 C:\Users\Admin\AppData\Local\Temp\ip.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2740BE0CB97A22380960230E8F45FE5ABB8BB501\Blob = <binary certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\ip.exe N/A
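
Two things in the registry tables above deserve a second look: the regsvr32 rows register COM servers (the InprocServer32 default value is the DLL that will be loaded into any process instantiating that CLSID), and the ip.exe rows add a certificate to the machine-wide ROOT store (ATT&CK T1553.004, Install Root Certificate), which lets a TLS interception or a fake update server pass validation afterwards. Note that the regsvr32 command line names C:\Windows\system32, but the process is 32-bit, so WOW64 file-system redirection sends it to SysWOW64; that is why both the dropped file and the InprocServer32 value say SysWow64. The script below is an added example, not part of the report or of any sandbox tooling: it parses rows in the report's "Description Indicator Process Target" layout, lists root-store additions with the writing process, extracts CLSID-to-DLL registrations, and cross-references those DLLs against the report's Files section. The sample rows are copied from the tables above except the last one, which is constructed to show the InprocServer32 value that a registration of flash10.dll would write (the report only shows the key being created).

```python
"""Triage of sandbox registry-event rows of the form
   <op> <registry path>[ = <value>] <process> <target>
Added example; not the sandbox's code and not the sample's."""
import re
from dataclasses import dataclass
from typing import Optional

ROW_RE = re.compile(
    r'^(?P<op>Set value \([a-z]+\)|Key created|Key deleted)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'                            # may contain spaces
    r'(?:\s=\s(?P<value>"(?:[^"\\]|\\.)*"|<[^>]*>|\S+))?'   # "quoted" data or <placeholder>
    r'\s(?P<proc>[A-Za-z]:\\.+?)\s(?P<target>N/A|[A-Za-z]:\\.+)$'
)
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
THUMB_RE = re.compile(r'\\SystemCertificates\\ROOT\\Certificates\\([0-9A-Fa-f]{40})', re.I)


@dataclass
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    proc: str
    target: str


def parse_row(line: str) -> Optional[RegEvent]:
    """Parse one table row; returns None for rows that do not fit the layout."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    value = m.group('value')
    if value and value.startswith('"'):
        # The sandbox prints REG_SZ data with doubled backslashes; undo that.
        value = value[1:-1].replace('\\\\', '\\')
    return RegEvent(m.group('op'), m.group('path'), value, m.group('proc'), m.group('target'))


def root_store_writes(events):
    """(thumbprint, process) for every addition under SystemCertificates\\ROOT."""
    out = []
    for e in events:
        m = THUMB_RE.search(e.path)
        if m and e.op != 'Key deleted':
            pair = (m.group(1).upper(), e.proc)
            if pair not in out:
                out.append(pair)
    return out


def user_writable(proc: str) -> bool:
    """Crude test for a process image living in a user-writable directory."""
    low = proc.lower()
    return '\\users\\' in low or '\\appdata\\' in low or '\\temp\\' in low


def inproc_registrations(events):
    """CLSID -> DLL path for every InprocServer32 default value written."""
    regs = {}
    for e in events:
        if (e.op.startswith('Set value') and e.value
                and e.path.rstrip('\\').lower().endswith('\\inprocserver32')):
            m = CLSID_RE.search(e.path)
            if m:
                regs[m.group(0).upper()] = e.value
    return regs


def registrations_backed_by_drops(events, dropped_files):
    """Registrations whose server DLL is one of the files the sample dropped."""
    dropped = {p.lower() for p in dropped_files}
    return {clsid: dll for clsid, dll in inproc_registrations(events).items()
            if dll.lower() in dropped}


def triage(rows, dropped_files):
    events = [e for e in (parse_row(r) for r in rows) if e]
    return {
        'root_store': root_store_writes(events),
        'com_registrations': inproc_registrations(events),
        'backed_by_drops': registrations_backed_by_drops(events, dropped_files),
    }


# Rows copied from the tables above; the last row is constructed (see lead-in).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control 6.0 (SP6)" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "FlashPlayer.Class" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2740BE0CB97A22380960230E8F45FE5ABB8BB501 C:\Users\Admin\AppData\Local\Temp\ip.exe N/A',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2740BE0CB97A22380960230E8F45FE5ABB8BB501\Blob = <blob-omitted> C:\Users\Admin\AppData\Local\Temp\ip.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\System\\flash10.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
]

# Paths from the Files section of this analysis.
DROPPED_FILES = [
    r'C:\Windows\SysWOW64\MSINET.OCX',
    r'C:\Users\Admin\AppData\Local\Temp\Update.exe',
    r'C:\Program Files (x86)\Common Files\System\flash10.dll',
]

if __name__ == '__main__':
    result = triage(SAMPLE_ROWS, DROPPED_FILES)
    for thumb, proc in result['root_store']:
        flag = ' (process in user-writable path)' if user_writable(proc) else ''
        print(f'ROOT store addition {thumb} by {proc}{flag}')
    for clsid, dll in result['backed_by_drops'].items():
        print(f'COM server {clsid} -> dropped file {dll}')
```

On a live host the same two questions map to `certutil -store Root 2740BE0CB97A22380960230E8F45FE5ABB8BB501` (or the `Cert:\LocalMachine\Root` drive in PowerShell) and to `reg query HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32`; an unexpected root certificate should be removed, not just noted, because it survives deletion of the dropped binaries.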

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ip.exe

"C:\Users\Admin\AppData\Local\Temp\ip.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Windows\system32\MSINET.OCX"

C:\Users\Admin\AppData\Local\Temp\Update.exe

C:\Users\Admin\AppData\Local\Temp\Update.exe

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\Common Files\System\flash10.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.ip138.com udp
GB 163.171.130.132:80 www.ip138.com tcp
US 8.8.8.8:53 sewer.ip138.com udp
CN 59.57.14.11:80 sewer.ip138.com tcp
US 8.8.8.8:53 132.130.171.163.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
CN 110.81.155.137:80 sewer.ip138.com tcp
CN 110.81.155.138:80 sewer.ip138.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
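
The Network table mixes three kinds of rows: DNS queries to 8.8.8.8 that are PTR lookups (in-addr.arpa names, which encode an IP address in reversed octet order), DNS queries for real hostnames, and the TCP connections that followed. ip138.com is a public "what is my IP" service, so the www.ip138.com and sewer.ip138.com traffic is consistent with the sample discovering the victim's external address; the table does not attribute rows to a process, so this is a cue to check the ip.exe process, not a proven link. The script below is an added example, not part of the report or of any sandbox tooling: it decodes the PTR names back into IPs, separates the non-DNS connections, flags hostnames under known IP-lookup services, and reports which reverse-resolved IPs were actually contacted. The sample rows are copied from the table above; the IP_LOOKUP_SERVICES list is an assumed starter list beyond the one domain the report shows.

```python
"""Reading a sandbox network table: "<country> <dst>:<port> <name> <proto>".
Added example; not the sandbox's code and not the sample's."""
import re
from typing import Optional

NET_ROW_RE = re.compile(
    r'^(?P<cc>[A-Z]{2})\s+(?P<dst>\S+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$'
)
PTR_RE = re.compile(
    r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$', re.I
)

# Assumed starter list of public external-IP discovery services; only
# ip138.com appears in this report.
IP_LOOKUP_SERVICES = {
    'ip138.com', 'api.ipify.org', 'icanhazip.com', 'ifconfig.me',
    'ip-api.com', 'ipinfo.io', 'checkip.amazonaws.com',
}


def ptr_to_ip(name: str) -> Optional[str]:
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217'; None if not a valid PTR name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return '.'.join(str(o) for o in reversed(octets))


def is_ip_lookup_service(name: str) -> bool:
    """True if the hostname or any parent domain is on the watch list."""
    labels = name.lower().rstrip('.').split('.')
    return any('.'.join(labels[i:]) in IP_LOOKUP_SERVICES for i in range(len(labels)))


def summarize(rows):
    connections = set()   # non-DNS endpoints as "ip:port"
    ptr_lookups = {}      # PTR name -> decoded IP
    lookup_services = set()
    for row in rows:
        m = NET_ROW_RE.match(row.strip())
        if not m:
            continue
        name = m['name']
        if m['proto'] == 'udp' and m['port'] == '53':
            ip = ptr_to_ip(name)
            if ip:
                ptr_lookups[name] = ip
            elif is_ip_lookup_service(name):
                lookup_services.add(name)
        else:
            connections.add(f"{m['dst']}:{m['port']}")
            if is_ip_lookup_service(name):
                lookup_services.add(name)
    contacted = {c.rsplit(':', 1)[0] for c in connections}
    return {
        'connections': connections,
        'ptr_lookups': ptr_lookups,
        'ip_lookup_services': lookup_services,
        # PTR queries whose target was also connected to; the rest are a cue
        # to ask whether the OS, not the sample, issued them.
        'ptr_of_contacted': {ip for ip in ptr_lookups.values() if ip in contacted},
    }


# Rows copied from the Network table above.
SAMPLE_NET_ROWS = [
    'US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp',
    'US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp',
    'US 8.8.8.8:53 www.ip138.com udp',
    'GB 163.171.130.132:80 www.ip138.com tcp',
    'US 8.8.8.8:53 sewer.ip138.com udp',
    'CN 59.57.14.11:80 sewer.ip138.com tcp',
    'US 8.8.8.8:53 132.130.171.163.in-addr.arpa udp',
    'US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp',
    'US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp',
    'US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp',
    'US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp',
    'US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp',
    'US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp',
    'CN 110.81.155.137:80 sewer.ip138.com tcp',
    'CN 110.81.155.138:80 sewer.ip138.com tcp',
    'US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp',
    'US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp',
]

if __name__ == '__main__':
    s = summarize(SAMPLE_NET_ROWS)
    print('IP-lookup services queried:', sorted(s['ip_lookup_services']))
    print('connections:', sorted(s['connections']))
    for name, ip in s['ptr_lookups'].items():
        mark = ' (contacted)' if ip in s['ptr_of_contacted'] else ''
        print(f'PTR {name} -> {ip}{mark}')
```

The one PTR target that was also connected to is 163.171.130.132, the www.ip138.com endpoint; the other ten reverse lookups have no matching connection in this table, which is the usual shape of Windows background traffic and worth confirming against the sandbox's per-process network view before treating them as sample behaviour.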

Files

C:\Windows\SysWOW64\MSINET.OCX

MD5 90a39346e9b67f132ef133725c487ff6
SHA1 9cd22933f628465c863bed7895d99395acaa5d2a
SHA256 e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2
SHA512 0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

C:\Users\Admin\AppData\Local\Temp\Update.exe

MD5 2242ed5625415d45e82a0c52504ce648
SHA1 236da61ec0c1a9beba1441024aa07d84e6672f23
SHA256 c2df0e1046b8b8757e662abfad36f5554482a530cae7fda6695217a9b87b0bf2
SHA512 4cafa5c70a4d50d1f0f0b0380baae17663cf9a84ff921035759ca5f17e6832d6676149162568392b7c2d5500e7c303a45537d4c878ae5334f8b627eb686ec789

memory/3644-8-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Program Files (x86)\Common Files\System\flash10.dll

MD5 0cfeace58c8dcd1f25563eb06abde248
SHA1 2ce3b78c1f7aa56f04f4d0703f6a92a413f6c852
SHA256 405bc36e331f6a828a527ce71d3f195e472e551e109a1a9c258426fe03f719d9
SHA512 9d1188dced20be101f1a480f40904575d8704c55b73d898232b4f761fadf0b6542a3c98976467a2de279587013b1b6bd6fe6820f806a2b2e3d7cea293f377e06

memory/3644-15-0x0000000000400000-0x0000000000428000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-02 22:07

Reported

2024-02-02 22:10

Platform

win7-20231215-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\新云软件.url

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\新云软件.url

Network

N/A

Files

memory/1968-0-0x0000000000230000-0x0000000000231000-memory.dmp